Wednesday, 2015-04-08

« Tuesday, 2015-04-07 Index Thursday, 2015-04-09 »
*** bdpayne has quit IRC00:02
*** salv-orlando has quit IRC00:10
*** dave-mccowan has joined #openstack-security00:13
*** bpokorny has quit IRC00:14
*** JAHoagie has quit IRC00:14
*** browne has joined #openstack-security00:33
*** tmcpeak has quit IRC01:45
*** salv-orlando has joined #openstack-security01:59
*** mgagne has quit IRC02:02
*** salv-orlando has quit IRC02:04
*** mgagne has joined #openstack-security02:08
*** mgagne is now known as Guest3992602:08
*** browne1 has joined #openstack-security02:34
*** browne has quit IRC02:37
*** gotajob has joined #openstack-security02:44
*** bpokorny has joined #openstack-security02:44
gotajobhi02:45
gotajobbye02:46
*** gotajob has left #openstack-security02:46
*** salv-orlando has joined #openstack-security03:28
*** tkelsey has joined #openstack-security03:49
*** tkelsey has quit IRC03:55
*** bpokorny has quit IRC04:00
*** salv-orlando has quit IRC04:08
*** aswadr has joined #openstack-security04:21
*** dave-mccowan has quit IRC05:02
*** salv-orlando has joined #openstack-security05:11
*** salv-orlando has quit IRC05:49
openstackgerritOpenStack Proposal Bot proposed openstack/security-doc: Imported Translations from Transifex  https://review.openstack.org/17147206:16
*** tkelsey has joined #openstack-security06:42
*** tkelsey has quit IRC06:46
*** salv-orlando has joined #openstack-security07:14
*** salv-orl_ has joined #openstack-security07:50
*** salv-orlando has quit IRC07:55
*** browne1 has quit IRC08:02
*** browne has joined #openstack-security08:15
*** browne has quit IRC08:29
*** salv-orl_ has quit IRC08:47
*** hure_s has joined #openstack-security09:28
*** hure_s has quit IRC09:28
*** salv-orlando has joined #openstack-security10:08
*** sr_slack has joined #openstack-security10:10
*** sr_slack is now known as teh_slack10:30
*** tmcpeak has joined #openstack-security11:02
*** hbashk1 has joined #openstack-security11:05
*** hbashk1 has quit IRC11:12
*** bknudson1 has quit IRC12:16
*** browne has joined #openstack-security12:32
*** dave-mccowan has joined #openstack-security12:47
*** bknudson has joined #openstack-security13:00
*** asrangne has joined #openstack-security13:09
*** aswadr has quit IRC13:12
*** edmondsw has joined #openstack-security13:12
*** nkinder has quit IRC13:12
*** singlethink has joined #openstack-security13:25
*** browne has quit IRC13:37
*** browne has joined #openstack-security13:41
*** nkinder has joined #openstack-security14:02
*** browne has quit IRC14:04
*** JAHoagie has joined #openstack-security14:04
*** ndillon has joined #openstack-security14:09
*** salv-orlando has quit IRC14:12
*** JAHoagie has quit IRC14:15
*** asrangne__ has joined #openstack-security14:20
*** ndillon is now known as sicarie14:21
*** asrangne has quit IRC14:22
*** voodookid has joined #openstack-security14:23
*** tmcpeak has quit IRC14:30
*** browne has joined #openstack-security14:34
*** tmcpeak has joined #openstack-security14:43
*** dwyde has joined #openstack-security14:44
*** dwyde has quit IRC14:57
*** dwyde has joined #openstack-security14:59
*** JAHoagie has joined #openstack-security15:11
*** salv-orlando has joined #openstack-security15:12
*** bpokorny has joined #openstack-security15:15
*** singlethink has quit IRC15:56
*** dave-mccowan has quit IRC16:09
*** dave-mccowan has joined #openstack-security16:13
*** dwyde has quit IRC16:17
*** singlethink has joined #openstack-security16:22
*** singlethink has quit IRC16:26
*** asrangne__ has quit IRC16:28
*** singlethink has joined #openstack-security16:37
*** sicarie has left #openstack-security16:57
*** dwyde has joined #openstack-security16:58
*** sdake has joined #openstack-security17:05
sdakehey quick question about adding bandit as a non-voting gate17:05
sdakelooking at keystone I see they added a gate-tox-bandit gate17:06
sdakebut I don't see any tox code to start bandit inside keystone17:06
tmcpeakbknudson: ^17:14
tmcpeaksdake: check this: https://review.openstack.org/#/c/157930/617:15
sdakefound it thanks :)17:15
bknudsonsdake: here's how I set up the experimental job: https://review.openstack.org/#/c/157595/17:20
sdakebknudson thanks for the link - i'll submit that next - want to get tox in first17:21
sdakeprefer all our gating goes via tox17:21
bknudsony, you're going to need the tox env.17:21
tmcpeaksdake: which project are you working on?17:21
tmcpeakBarbican?17:21
bknudsonprobably should make sure it's called "bandit" so we're consistent17:21
sdakewhat is odd is a git pull of keystone doesn't show the first review even tho its +2/+A17:21
bknudsonsdake: it hasn't merged yet.17:21
sdaketmcpeak - magnum17:21
sdakebknudson got it thanks17:21
tmcpeakooh, cool17:21
* tmcpeak looks17:21
sdakeheard about it this morning in a team meeting17:22
tmcpeakawesome!17:22
sdakethe more linting the better ;)17:22
bknudsonwe need more team meetings17:22
sdakeoh it was an internal thing17:22
bknudsondo we have a security liaison for all the projects?17:22
tmcpeakthe profile that Keystone is using is probably appropriate for your use also, but I can work with you to make any profile changes for your project or anything else to help17:22
*** rlpple has joined #openstack-security17:22
sdakei used keystone profile and it kicked out some errors about yaml.load17:23
sdakebut those are busted, they need fixing anyway - so it actually found some real problems :)17:23
bknudsony, I don't know if we want a common profile for all openstack or a separate one for each project?17:23
bknudsonI have to create bandit jobs for the other keystone projects (keystoneclient and keystonemiddleware)17:23
tmcpeakseparate per project probably makes sense, although the one that Keystone is using is probably sensible for most17:24
sdakejust so I'm cear, there are about 200 test cases in bandit correct?17:25
sdake(for the commit log)17:25
tmcpeakthat sounds very high17:25
sdakeok I saw 0..25..50 etc thought those were the test cases17:26
tmcpeakI think there are about 30 plugins, the profile Keystone uses has probably half of those enabled.  Some of those plugins look for a few things (like blacklist functions)17:26
sdakemust have been files processed17:26
tmcpeaksdake: those are files processed17:26
*** Guest39926 is now known as mgagne17:29
*** mgagne has joined #openstack-security17:29
tmcpeaksdake: would you mind adding me on reviews for anything for your project? would like to follow along :)17:34
tmcpeakanything meaning any Bandit stuff17:34
sdakewill do tmcpeak17:34
tmcpeaksdake: thanks!17:34
sdakeyour gerrit id is tmcpeak?17:35
tmcpeaksdake: travis-mcpeak17:36
*** rlpple has quit IRC18:05
tmcpeakbknudson: you around?18:22
bknudsontmcpeak: y18:22
tmcpeakI'm going to put up something on Bandit wiki to help other projects get started with a Bandit gate like you did with Keystone18:23
tmcpeakwant to make sure I list all the right things :)18:23
tmcpeakso there is a change like sdake just did: https://review.openstack.org/#/c/171755/18:23
tmcpeakthis adds tox and the bandit config file18:23
tmcpeakare there any other changes to the project itself?18:24
tmcpeakI assume there is also a change in the projects gate config18:24
bknudsontmcpeak: https://review.openstack.org/#/c/170569/ is the infra change to have a non-voting gate job18:25
tmcpeakbknudson: cool, anything else?18:25
bknudsontmcpeak: no, that's all you need18:26
bknudsonbandit.yaml, tox env, and infra gate job18:26
bknudsonshould cover it.18:26
tmcpeakbknudson: ok awesome, so will the line deps = bandit~=0.10.0 automatically download it in the virtualenv?18:26
bknudsonwe might want to change the tox env from using bandit~=0.10.0 to having a separate test-requirements-bandit.txt with the bandit req18:27
bknudsontmcpeak: yes, the deps causes tox to install bandit to the venv.18:27
tmcpeakif you have that though, checkins won't work because the Infra job which checks requirements will complain18:27
tmcpeakright?18:27
tmcpeakie it will notice that your requirements don't match upstream18:27
bknudsonI think the infra job only checks *requirements.txt18:28
bknudsonnot deps in tox.ini18:28
bknudsonsome might consider that a bug18:28
tmcpeakoh, I didn't read your message correctly: test-requirements-bandit.txt18:28
bknudsonright, we can't have test-requirements-bandit.txt until bandit is in global-requirements18:29
bknudsonthat's why I used deps18:29
bknudsonI'd prefer test-requirements-bandit.txt because then it'll be updated automatically when global-requirements changes.18:29
tmcpeakhow does that work?18:30
bknudsonthere's a job that proposes updates to the requirements files when global-requirements changes.18:30
tmcpeakhow will it find the test-requirements-bandit.txt file?18:30
bknudsonI think it just looks for all *requirements*.txt files.18:31
tmcpeakalso is there any precedent for having a test tool use it's own .txt file for requirements?18:31
bknudsonnot that I know of.18:31
tmcpeakI'd prefer Bandit inclusion to be as unobtrusive as possible, ie require less special files/stuff18:31
tmcpeakbut you know this stuff a lot better than I18:32
tmcpeakso I'll defer to your judgement on best way to do it :)18:32
bknudsonthe crappy flake8 check just uses requirements.txt and test-requirements.txt because it needs all the packages installed.18:32
bknudsonI think people will be happy that bandit doesn't require all the packages installed.18:32
tmcpeakoh yeah18:32
tmcpeakgood point18:32
tmcpeakit does need YAML18:33
bknudsonI assume bandit has yaml in its requirements.txt18:33
tmcpeakyeah, it does18:33
bknudsonso all bandit reqs get installed along with bandit18:33
tmcpeakyep18:33
tmcpeakso where does this change you're talking about need to go?18:34
*** nkinder has quit IRC18:34
bknudsonso I'd expect test-requirements-bandit.txt will just have bandit~=0.10.0 or whatever global-requirements has when that merges.18:34
bknudsonthe change is in the tox.ini for each project and also need to create the requirements.txt file in each project.18:34
bknudsondeps = -r{toxinidir}/test-requirements-bandit.txt18:35
tmcpeakI've never seen that ~= before btw18:35
tmcpeakI've seen <= >= ==18:35
tmcpeakahh I see what you're saying18:35
bknudsonI could propose that change in keystone and make it depends-on the global-requirements change to add bandit.18:36
tmcpeakcool stuff18:36
tmcpeakyou think I should hold off on gate recommendations until we get this change done18:36
tmcpeakso i can point people to this18:37
tmcpeakit does seem like a better way18:37
tmcpeakor I guess I'll write up what we have18:37
tmcpeakand add this later18:37
bknudsonI agree that it would be good to get it somewhat "finalized" in one project before pushing it out everywhere.18:37
tmcpeakyeah18:37
tmcpeakI think you've set a good example though, and now people are moving :)18:37
bknudsonalthough maybe other projects are quicker to merge things than keystone...18:37
tmcpeakwhen you get this latest review in, I'll write up a blurb.  Explain how to do Bandit config, and tox, and change infra to set up the gate18:39
tmcpeakthen I'll add a piece at the end that says optionally projects may set up something like this: and point to your latest review18:39
dave-mccowantmcpeak, bknudson  i'm the barbican contributor who volunteered to work with bandit.  i've been following this discussion closely.  i'll be happy to beta test your instructions and start getting barbican ready today.18:40
tmcpeakdave-mccowan: awesome!18:41
tmcpeakI knew there was a Barbican guy somewhere18:42
tmcpeak:)18:42
tmcpeakdave-mccowan: I'll be really interested in feedback during the process too, and anything that's difficult18:43
tmcpeakalthough you're very familiar with Bandit18:43
dave-mccowantmcpeak  i'll let you know what i find.  i need to step out for a bit, but will start working on this in a couple hours.18:47
*** dave-mccowan has quit IRC18:47
tmcpeakdave-mccowan: sounds great, thanks!18:47
bknudsontmcpeak: here's the change to create t-r-b.txt: https://review.openstack.org/#/c/171772/18:48
tmcpeakbknudson: awesome18:48
tmcpeakdo you want to pin a version though?18:49
tmcpeakbandit==0.10.018:49
bknudsontmcpeak: I copied the line from global-requirements.txt18:49
bknudsonhttps://review.openstack.org/#/c/167126/1/global-requirements.txt18:49
bknudsonit has to be the same.18:49
tmcpeakoh, i think infra guys wanted a pinned version18:49
bknudsonso if g-r is wrong then that needs to be updated.18:49
tmcpeakthey told me that before18:49
tmcpeakyeah, they told me they really want a pinned version on any linter18:50
tmcpeakso that we don't break things when we introduce new functionality18:50
tmcpeakI'd set to bandit==0.10.0 there too18:50
tmcpeakand again in your change18:50
bknudsontmcpeak: comment on the review18:50
tmcpeakbknudson: cool, will do18:52
tmcpeakbknudson: still around?19:28
bknudsontmcpeak: y, where would I go?19:28
tmcpeaklol, good question19:29
tmcpeakso Keystone is currently set up as a non-voting job, right?19:29
tmcpeakif a project wants to set up a voting one, how is that done?19:29
bknudsontmcpeak: keystone is currently set up only with an experimental job19:29
bknudsonso you need to run `check experimental` to even see it19:30
bknudsonthe next step is to make it non-voting.19:30
tmcpeakbknduson: I thought this https://review.openstack.org/#/c/170569/2/zuul/layout.yaml made it non-voting19:30
tmcpeakoh, it's not merged19:30
tmcpeakI see19:30
bknudsontmcpeak: y, but that isn't merged.19:30
tmcpeakIf a project wants to make it voting, what further change would they need?19:30
tmcpeakHere's new wiki section btw: https://wiki.openstack.org/wiki/Security/Projects/Bandit#Gate_Testing_with_Bandit19:32
bknudsontmcpeak: hmm.. this change shows how I set it up initially as a nonvoting: https://review.openstack.org/#/c/157595/19:33
bknudsonhttps://review.openstack.org/#/c/157595/5/zuul/layout.yaml19:33
bknudsonso in order to make it voting, you just have voting: true, I guess.19:33
tmcpeakahh ok I missed that step19:34
bknudsonI think you can make a template for these jobs so it'll probably change in future when there's more projects doing it.19:34
bknudsony, I should have linked to that one... forgot that you're going to need to define the job for each project.19:34
bknudsonat least until there's a template or whatever... I don't know how it all works.19:35
*** singlethink has quit IRC19:38
tmcpeakcool, I'll add that19:38
*** singlethink has joined #openstack-security19:42
bknudsontmcpeak: regarding https://wiki.openstack.org/wiki/Security/Projects/Bandit#Gate_Testing_with_Bandit19:46
tmcpeakyep19:46
bknudsonstep 2 says "Add a test-requirement-bandit.txt file. " -- this isn't temporary, the temporary thing is having deps =bandit in tox.ini19:46
bknudsont-r-b.txt is the permanent solution.19:47
tmcpeakbknudson: well once it is in global requirements, why won't it just be listed in requirements.txt19:47
bknudsontmcpeak: requirements.txt is for run-time requirements.19:47
bknudsonyou don't need bandit to run keystone.19:47
tmcpeaksorry, I mean test-requirements.txt19:47
bknudsontest-requirements.txt contains a bunch of stuff that's not required to run bandit.19:48
bknudsonI don't want to have to install all that just to run bandit19:48
tmcpeakright, but presumably that's the case for a lot of other tools too19:48
bknudsonno, all the stuff in test-requirements.txt is required to run tox -e py2719:48
tmcpeakohhh19:48
tmcpeakI see what you're saying19:49
tmcpeakit's a tox environment that only has one requirement19:49
bknudsonright19:49
tmcpeakgotcha19:49
bknudsonone requirement for now... although hopefully it will stay that way19:49
tmcpeakso once it's in global requirements, what's going to change?19:49
tmcpeak(just so I get caught up to you)19:49
bknudsonwhen global-requirements changes, the proposal bot will automatically propose an update to test-requirements-bandit.txt19:50
tmcpeakok, with you so far19:50
bknudsonif we don't care about that then we might as well leave it in tox.ini.19:50
tmcpeakno, that's good19:51
tmcpeakso if we set it up this way, it's automated19:51
bknudsonI think we do want that, though... for bug fixes anyways.19:51
tmcpeakat least automated proposal19:51
tmcpeakyeah, seems like19:51
tmcpeakcool, I'll update wiki19:51
tmcpeakthanks for explaining19:51
*** JAHoagie has quit IRC19:53
brownetmcpeak: also #1 in your wiki has a URL that references a patch.  Might be better to point to github location of that file since the patch merged19:54
*** sdake_ has joined #openstack-security19:55
*** rlpple has joined #openstack-security19:57
*** rlpple has quit IRC19:57
tmcpeakbrowne: good point19:57
tmcpeakthank you19:57
brownenp19:57
*** sdake has quit IRC19:58
*** JAHoagie has joined #openstack-security20:00
*** nkinder has joined #openstack-security20:09
*** dwyde has quit IRC20:12
*** dave-mccowan has joined #openstack-security20:14
*** sdake_ has quit IRC20:28
*** dwyde has joined #openstack-security20:32
*** JAHoagie has quit IRC20:36
*** dwyde has quit IRC21:13
*** gabriela has joined #openstack-security21:14
*** edmondsw has quit IRC21:15
*** JAHoagie has joined #openstack-security21:18
*** gabriela has left #openstack-security21:22
*** dwyde has joined #openstack-security21:36
*** bknudson has left #openstack-security21:58
*** dwyde has quit IRC22:09
*** jamielennox is now known as jamielennox|away22:11
*** salv-orlando has quit IRC22:47
*** salv-orlando has joined #openstack-security22:48
*** singlethink has quit IRC22:48
*** salv-orlando has quit IRC22:50
*** browne has quit IRC23:03
*** browne has joined #openstack-security23:04
*** voodookid has quit IRC23:07
*** jamielennox|away is now known as jamielennox23:12
*** sdake has joined #openstack-security23:40
*** sdake_ has joined #openstack-security23:42
*** sdake has quit IRC23:45
*** gabriela has joined #openstack-security23:48
gabrielac23:49
« Tuesday, 2015-04-07 Index Thursday, 2015-04-09 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!